When Acceptable Risk is Not Acceptable
Posted May 9th, 2007 by rybolov
Bottom Line Up Front: Even if a risk is acceptable on an organizational basis, on a personal basis there is no such thing as an acceptable risk.
We have these great Information Assurance frameworks. They’re scalable, modular, and they do work if you know what you are doing.
But they all fall short in one thing: acceptable risk that is not acceptable. We teach people how to determine whether a risk is acceptable. There are several formulas to use; it’s part of the CISSP CBK. At its heart, it’s a cost/benefit/risk comparison. Rationally, we know how to do this as an organization.
However, on a personal level, we live in a risk-avoidance, zero-defects society. To an individual, taking a risk means that you might face personal repercussions, and that is not acceptable. The end result is that we’re back to risk avoidance, which takes us back to the Neolithic era of risk management.
So we’re stuck in this dual-standard security world with no end in sight. How do we fix it? I’m not sure, but somehow in order to have effective risk management, you need to establish a culture where it’s OK to fail occasionally.
Posted in Risk Management